I'm attempting to use ListS3 to access a bucket in S3 and I've set up an AWSCredentialsProviderControllerService. However, when I run this processor it returns with 

The security token included in the request is invalid (Service: AWSSecurityTokenService; Status Code: 403; Error Code: InvalidClientTokenId)

I can run from the aws cli without issue, and both the command line and NiFi are running the same user. I'm just stumped as to why it's failing on NiFi but not on the cli when I run as the nifi user. It seems like it can't see my profilename profile which is already configured with the region, the role_arn, and the credential_source. 

On the cli, I run 

aws s3 cp s3://bucket/path/to/file.file /path/to/dest --profile profilename

The configs for the Controller Service are 

Use Default Credentials: false
Access Key: No value set
Secret Key: No value set
Credentials File: No value set
Profile Name: profilename
Use Anonymous Credentials: false
Assume Role ARN: arn:aws:iam:00000000000:role/bucket
Assume Role Session Name: default
Session Time: 3600

I'm just not clear why this isn't working in NiFi but is working on the cli, and I'm at a loss as to how to fix it.